Geneva, Switzerland, 15-16 September 2014
ENISA role in ICT standardization
Sławomir Górniak, ENISA
ITU Workshop on "ICT Security Standardization for Developing Countries"
(Geneva, Switzerland, 15-16 September 2014)
European Union Agency for Network and Information Security
Established in 2004
Centre of expertise:
- Writing reports that analyse data on security practices in Europe and on emerging risks (e.g. cloud computing, exercises, national contingency plans)
- Supporting the European Commission & Member States in their policy initiatives (e.g. setting up and training CERTs, seminars for national exercises)
- Facilitating cross-border cooperation (e.g. supporting cyber security exercises)
- Ensuring a coherent pan-European approach (e.g. supporting the implementation of article 13a)
ENISA activities
Hands on
Policy Implementation
Recommendations
Mobilising Communities
ENISA efforts
- Identification of risks associated with new technologies affecting the daily life of citizens
- Cyber crisis cooperation at EU and international level and development of capabilities
- Facilitating Public-Private cooperation
- Improving transparency of security incidents
- Enabling communities to improve NIS: capacity building with regard to the CERT community and application of good practice for CERTs
- Ensuring a strong EU response to cybercrime
- Supporting R&D investments and strengthening the competitiveness of the EU's security industry
- Promoting personal data protection
ENISA and SDOs
Established collaboration agreements with:
- ISO SC27 (Liaison)
- ETSI (MoU):
  - Exchange of information of mutual interest
  - Organisation of joint meetings and workshops
  - ENISA to channel standardisation activities to ETSI, if appropriate
  - Exchange of working documents, within well defined frames
  - ENISA to nominate observers for ETSI Technical Bodies
- CEN CENELEC (MoU)
- ITU (MoU started!)
ENISA aligns key activities with the work of SDOs:
- ETSI TISPAN on CIIP, ESI on eID, CLOUD on cloud certification
- CEN CENELEC on smart grids
- ISO SC 27 in the area of privacy
Example: Security measures for smart grids - conceptual model
Milestones:
- 1st version, ENISA publication, Dec 2012
- 2nd version, EG2 security measures, April 2014
- Mapping between security measures and M/490 SGIS security levels
Approach:
- Risk-based instead of compliance-based approach
- Three-level approach:
  - Risk assessment (by operators)
  - Appropriate measures (baseline)
  - 3 sophistication levels per measure (implementation sophistication)
- 11 control domains, 42 measures
[Figure: matrix applied for the method to define Security Measures]
Control Domains (set of practices): CD1 – Security Governance, CD2, ..., CDN
Security Measures under CD1: Information security policy; Organization of information security; Information security procedures
3 Sophistication levels: 1, 2, 3
Requirements per measure and level: Requirement 1, Requirement 2, ...
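The matrix on this slide can be read as a small data model: each security measure belongs to a control domain, carries a baseline plus three cumulative sophistication levels, and the operator's own risk assessment decides which level is the target. The following Python is an added illustration of that model, not ENISA's code or tooling. Only control domain CD1 and its three measures are taken from the slide; the requirement texts, the risk-rating-to-level mapping (the slide only says a mapping to M/490 SGIS security levels exists) and the sample operator state are constructed for the example.

```python
"""Added illustration of the three-level smart grid security measures model:
operators rate risk, each measure has a baseline and three sophistication
levels, and a gap analysis lists the requirements still to be implemented.
Requirement wording, risk mapping and operator data are constructed here."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

BASELINE = 1   # every applicable measure must reach at least level 1
MAX_LEVEL = 3  # three sophistication levels per measure

# Assumed mapping from an operator's risk rating to the target sophistication
# level; the slide only states that such a mapping to SGIS security levels exists.
RISK_TO_LEVEL: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Measure:
    domain: str                                 # control domain, e.g. "CD1 Security Governance"
    name: str                                   # security measure
    requirements: Tuple[Tuple[str, ...], ...]   # index 0 = level 1, index 2 = level 3

    def requirements_up_to(self, level: int) -> List[str]:
        """All requirements that must hold at `level` (levels are cumulative)."""
        return [r for lvl in self.requirements[:level] for r in lvl]


# Constructed catalogue: CD1 and its three measures come from the slide,
# the requirement wording is placeholder text written for this example.
CATALOGUE: List[Measure] = [
    Measure("CD1 Security Governance", "Information security policy",
            (("policy exists and is approved",),
             ("policy reviewed on a fixed schedule",),
             ("policy effectiveness measured with KPIs",))),
    Measure("CD1 Security Governance", "Organization of information security",
            (("security roles assigned",),
             ("roles cover third parties and suppliers",),
             ("independent review of the security organisation",))),
    Measure("CD1 Security Governance", "Information security procedures",
            (("procedures documented",),
             ("procedures tested in exercises",),
             ("procedures improved from exercise and incident lessons",))),
]


def target_level(risk_rating: str) -> int:
    """Map the operator's risk assessment to the sophistication level to reach,
    never below the baseline and never above the third level."""
    try:
        level = RISK_TO_LEVEL[risk_rating.lower()]
    except KeyError:
        raise ValueError(f"unknown risk rating {risk_rating!r}") from None
    return max(BASELINE, min(level, MAX_LEVEL))


def gap_analysis(current: Dict[str, int],
                 risk_rating: str) -> List[Tuple[str, int, int, List[str]]]:
    """For each measure below the target level return
    (measure name, current level, target level, requirements still missing).
    A measure absent from `current` counts as level 0 (nothing implemented)."""
    target = target_level(risk_rating)
    gaps = []
    for m in CATALOGUE:
        have = current.get(m.name, 0)
        if have < target:
            already = len(m.requirements_up_to(have))
            missing = m.requirements_up_to(target)[already:]
            gaps.append((m.name, have, target, missing))
    return gaps


if __name__ == "__main__":
    # Constructed operator state: one measure at level 2, one at level 1,
    # the third not started at all.
    state = {"Information security policy": 2,
             "Organization of information security": 1}
    for name, have, want, missing in gap_analysis(state, "high"):
        print(f"{name}: level {have} -> {want}; missing: {missing}")
```

Because the levels are cumulative, the gap for a measure is simply the suffix of its requirement list beyond what the operator already meets; a real deployment would replace the constructed catalogue with the 42 measures and the published SGIS mapping.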
European Union Agency for Network and Information Security
Science and Technology Park of Crete
P.O. Box 1309, 71001 Heraklion, Crete, Greece
Follow ENISA
http://www.enisa.europa.eu